Know When HITECH Trumps Payer Contracts
With so many Health Insurance Portability and Accountability Act (HIPAA) changes coming down the pike, it’s a great time to look at how privacy and security laws may impact your practice and compliance plan.
In a recent U.S. Department of Health & Human Services (HHS) press release, HIPAA expands the individual rights of patients to their health information. According to the press release, “The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.”
This means patients can ask for copies of their electronic health records (EHRs). And when it comes to billing, it also means a patient who wants to pay cash can instruct the provider to not share treatment information with his or her health plan.
Keep Billers Compliant
According to Michael D. Miscoe, JD, CPC, CASCC, CUC, CCPC, CPCO, CHCC, here is why it is important to not bill insurance when a patient pays out-of-pocket:
“Although HITECH does not address billing directly, when a patient pays for a service out-of-pocket and instructs (through an appropriate ‘Restrictions on Uses and Disclosures Form’) that you may not disclose PHI associated with that service for payment or health care operations, you are prevented from submitting a claim since by doing so you would be disclosing PHI. If you chose to bill the service anyway, it would be an unauthorized disclosure constituting a breach. This may subject the provider to a penalty, which could be quite substantial if OCR determines the conduct was reckless (usually due to incomplete or non-compliant HIPAA privacy and security policies). Therefore, when the patient makes such a request, HITECH trumps any perceived contractual duty to file a claim because it can’t be done without violating a federal law. A contractual provision that requires you to violate a law is generally unenforceable.
Usually, the patient is paying cash because the service is non-covered. Most provider contracts as well as the Medicare statute do not require submission of claims for non-covered services on behalf of the beneficiary in any event.”
Under the pre-HITECH regulations, you could ignore the patient’s request not to file the claim. Under HITECH, you cannot.
If a patient pays in full out-of-pocket and does not want to bill insurance, according to Miscoe, here are the best steps to take to stay compliant with HITECH:
- Have the patient sign a request that information relative to self-paid services not be disclosed (usually called a Restrictions on Uses and Disclosures Form). Note that self-paid services do not include circumstance where the patient ultimately pays the entire value of the service because of a deductible. The patient’s signed restriction on such disclosures absolutely precludes the provider from submitting a claim for those services. As noted above, the provider is protected from any allegation regarding provider contract breach for not billing by the patient or the carrier, even assuming such an obligation existed.
- Flag these records somehow so they are not disclosed to the health plan should the health plan make a request. The easiest way is to keep them in a separate file. If that’s not an option, clearly mark the record as “Not for Disclosure for Payment or Health Care Operations.”
- If you are sending the records to another provider (which is permissible), make sure the provider knows the records cannot be sent to the health plan due to the patient’s request. A big red stamp or other notation saying the records may not be disclosed in response to a carrier’s payment or health care operations request should suffice.